New Bagle worm in the wild



A new Bagle dropper and downloader, Bagle.AQ, was bulk mailed to numerous internet users yesterday, The Register reports.

The malware arrives in an email with the subject and email body "foto" and an attachment called that poses as a file containing photographs.

This zip file contains a HTML file and an executable called foto1.exe. The executable is a dropper. If activated it will kill DLL files related to the updating components of various anti-virus programs. It also attempts download an updated payload every six hours from one of more than 130 separate websites.

This payload contains a mass-mailing worm that uses its own SMTP engine to spread. It also opens backdoors on TCP port 80 and UDP port 80, allowing infected computers to be used as email relays.